OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1630 Commits
13 Branches
0 Tags
45 MiB
Tree: a54882bf07
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a54882bf07'
${ noResults }
server-tools/auth_brute_force/tests/test_brute_force.py

361 lines
13 KiB
Raw Normal View History

[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2017 Tecnativa - Jairo Llopis
  3. # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
  5. from threading import current_thread
  6. from unittest import skipUnless
  7. from urllib import urlencode
  9. from mock import patch
  10. from werkzeug.utils import redirect
  12. from odoo import http
  13. from odoo.tests.common import at_install, can_import, HttpCase, post_install
  14. from odoo.tools import mute_logger
  16. from ..models import res_authentication_attempt, res_users
  19. GARBAGE_LOGGERS = (
  20. "werkzeug",
  21. res_authentication_attempt.__name__,
  22. res_users.__name__,
  23. )
  26. @at_install(False)
  27. @post_install(True)
  28. # Skip CSRF validation on tests
  29. @patch(http.__name__ + ".WebRequest.validate_csrf", return_value=True)
  30. # Skip specific browser forgery on redirections
  31. @patch(http.__name__ + ".redirect_with_hash", side_effect=redirect)
  32. # Faster tests without calls to geolocation API
  33. @patch(res_authentication_attempt.__name__ + ".urlopen", return_value="")
  34. class BruteForceCase(HttpCase):
  35. def setUp(self):
  36. super(BruteForceCase, self).setUp()
  37. # Some tests could retain environ from last test and produce fake
  38. # results without this patch
  39. # HACK https://github.com/odoo/odoo/issues/24183
  40. # TODO Remove in v12
  41. try:
  42. del current_thread().environ
  43. except AttributeError:
  44. pass
  45. # Complex password to avoid conflicts with `password_security`
  46. self.good_password = "Admin$%02584"
  47. self.data_demo = {
  48. "login": "demo",
  49. "password": "Demo%&/(908409**",
  50. }
  51. with self.cursor() as cr:
  52. env = self.env(cr)
  53. env["ir.config_parameter"].set_param(
  54. "auth_brute_force.max_by_ip_user", 3)
  55. env["ir.config_parameter"].set_param(
  56. "auth_brute_force.max_by_ip", 4)
  57. # Clean attempts to be able to count in tests
  58. env["res.authentication.attempt"].search([]).unlink()
  59. # Make sure involved users have good passwords
  60. env.user.password = self.good_password
  61. env["res.users"].search([
  62. ("login", "=", self.data_demo["login"]),
  63. ]).password = self.data_demo["password"]
  65. @skipUnless(can_import("odoo.addons.web"), "Needs web addon")
  66. @mute_logger(*GARBAGE_LOGGERS)
  67. def test_web_login_existing(self, *args):
  68. """Remote is banned with real user on web login form."""
  69. data1 = {
  70. "login": "admin",
  71. "password": "1234", # Wrong
  72. }
  73. # Make sure user is logged out
  74. self.url_open("/web/session/logout", timeout=30)
  75. # Fail 3 times
  76. for n in range(3):
  77. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  78. # If you fail, you get /web/login again
  79. self.assertTrue(
  80. response.geturl().endswith("/web/login"),
  81. "Unexpected URL %s" % response.geturl(),
  82. )
  83. # Admin banned, demo not
  84. with self.cursor() as cr:
  85. env = self.env(cr)
  86. self.assertFalse(
  87. env["res.authentication.attempt"]._trusted(
  88. "127.0.0.1",
  89. data1["login"],
  90. ),
  91. )
  92. self.assertTrue(
  93. env["res.authentication.attempt"]._trusted(
  94. "127.0.0.1",
  95. "demo",
  96. ),
  97. )
  98. # Now I know the password, but login is rejected too
  99. data1["password"] = self.good_password
  100. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  101. self.assertTrue(
  102. response.geturl().endswith("/web/login"),
  103. "Unexpected URL %s" % response.geturl(),
  104. )
  105. # IP has been banned, demo user cannot login
  106. with self.cursor() as cr:
  107. env = self.env(cr)
  108. self.assertFalse(
  109. env["res.authentication.attempt"]._trusted(
  110. "127.0.0.1",
  111. "demo",
  112. ),
  113. )
  114. # Attempts recorded
  115. with self.cursor() as cr:
  116. env = self.env(cr)
  117. failed = env["res.authentication.attempt"].search([
  118. ("result", "=", "failed"),
  119. ("login", "=", data1["login"]),
  120. ("remote", "=", "127.0.0.1"),
  121. ])
  122. self.assertEqual(len(failed), 3)
  123. banned = env["res.authentication.attempt"].search([
  124. ("result", "=", "banned"),
  125. ("remote", "=", "127.0.0.1"),
  126. ])
  127. self.assertEqual(len(banned), 1)
  128. # Unban
  129. banned.action_whitelist_add()
  130. # Try good login, it should work now
  131. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  132. self.assertTrue(response.geturl().endswith("/web"))
  134. @skipUnless(can_import("odoo.addons.web"), "Needs web addon")
  135. @mute_logger(*GARBAGE_LOGGERS)
  136. def test_web_login_unexisting(self, *args):
  137. """Remote is banned with fake user on web login form."""
  138. data1 = {
  139. "login": "administrator", # Wrong
  140. "password": self.good_password,
  141. }
  142. # Make sure user is logged out
  143. self.url_open("/web/session/logout", timeout=30)
  144. # Fail 3 times
  145. for n in range(3):
  146. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  147. # If you fail, you get /web/login again
  148. self.assertTrue(
  149. response.geturl().endswith("/web/login"),
  150. "Unexpected URL %s" % response.geturl(),
  151. )
  152. # Admin banned, demo not
  153. with self.cursor() as cr:
  154. env = self.env(cr)
  155. self.assertFalse(
  156. env["res.authentication.attempt"]._trusted(
  157. "127.0.0.1",
  158. data1["login"],
  159. ),
  160. )
  161. self.assertTrue(
  162. env["res.authentication.attempt"]._trusted(
  163. "127.0.0.1",
  164. self.data_demo["login"],
  165. ),
  166. )
  167. # Demo user can login
  168. response = self.url_open(
  169. "/web/login",
  170. bytes(urlencode(self.data_demo)),
  171. 30,
  172. )
  173. # If you pass, you get /web
  174. self.assertTrue(
  175. response.geturl().endswith("/web"),
  176. "Unexpected URL %s" % response.geturl(),
  177. )
  178. self.url_open("/web/session/logout", timeout=30)
  179. # Attempts recorded
  180. with self.cursor() as cr:
  181. env = self.env(cr)
  182. failed = env["res.authentication.attempt"].search([
  183. ("result", "=", "failed"),
  184. ("login", "=", data1["login"]),
  185. ("remote", "=", "127.0.0.1"),
  186. ])
  187. self.assertEqual(len(failed), 3)
  188. banned = env["res.authentication.attempt"].search([
  189. ("result", "=", "banned"),
  190. ("login", "=", data1["login"]),
  191. ("remote", "=", "127.0.0.1"),
  192. ])
  193. self.assertEqual(len(banned), 0)
  195. @mute_logger(*GARBAGE_LOGGERS)
  196. def test_xmlrpc_login_existing(self, *args):
  197. """Remote is banned with real user on XML-RPC login."""
  198. data1 = {
  199. "login": "admin",
  200. "password": "1234", # Wrong
  201. }
  202. # Fail 3 times
  203. for n in range(3):
  204. self.assertFalse(self.xmlrpc_common.authenticate(
  205. self.env.cr.dbname, data1["login"], data1["password"], {}))
  206. # Admin banned, demo not
  207. with self.cursor() as cr:
  208. env = self.env(cr)
  209. self.assertFalse(
  210. env["res.authentication.attempt"]._trusted(
  211. "127.0.0.1",
  212. data1["login"],
  213. ),
  214. )
  215. self.assertTrue(
  216. env["res.authentication.attempt"]._trusted(
  217. "127.0.0.1",
  218. "demo",
  219. ),
  220. )
  221. # Now I know the password, but login is rejected too
  222. data1["password"] = self.good_password
  223. self.assertFalse(self.xmlrpc_common.authenticate(
  224. self.env.cr.dbname, data1["login"], data1["password"], {}))
  225. # IP has been banned, demo user cannot login
  226. with self.cursor() as cr:
  227. env = self.env(cr)
  228. self.assertFalse(
  229. env["res.authentication.attempt"]._trusted(
  230. "127.0.0.1",
  231. "demo",
  232. ),
  233. )
  234. # Attempts recorded
  235. with self.cursor() as cr:
  236. env = self.env(cr)
  237. failed = env["res.authentication.attempt"].search([
  238. ("result", "=", "failed"),
  239. ("login", "=", data1["login"]),
  240. ("remote", "=", "127.0.0.1"),
  241. ])
  242. self.assertEqual(len(failed), 3)
  243. banned = env["res.authentication.attempt"].search([
  244. ("result", "=", "banned"),
  245. ("remote", "=", "127.0.0.1"),
  246. ])
  247. self.assertEqual(len(banned), 1)
  248. # Unban
  249. banned.action_whitelist_add()
  250. # Try good login, it should work now
  251. self.assertTrue(self.xmlrpc_common.authenticate(
  252. self.env.cr.dbname, data1["login"], data1["password"], {}))
  254. @mute_logger(*GARBAGE_LOGGERS)
  255. def test_xmlrpc_login_unexisting(self, *args):
  256. """Remote is banned with fake user on XML-RPC login."""
  257. data1 = {
  258. "login": "administrator", # Wrong
  259. "password": self.good_password,
  260. }
  261. # Fail 3 times
  262. for n in range(3):
  263. self.assertFalse(self.xmlrpc_common.authenticate(
  264. self.env.cr.dbname, data1["login"], data1["password"], {}))
  265. # Admin banned, demo not
  266. with self.cursor() as cr:
  267. env = self.env(cr)
  268. self.assertFalse(
  269. env["res.authentication.attempt"]._trusted(
  270. "127.0.0.1",
  271. data1["login"],
  272. ),
  273. )
  274. self.assertTrue(
  275. env["res.authentication.attempt"]._trusted(
  276. "127.0.0.1",
  277. self.data_demo["login"],
  278. ),
  279. )
  280. # Demo user can login
  281. self.assertTrue(self.xmlrpc_common.authenticate(
  282. self.env.cr.dbname,
  283. self.data_demo["login"],
  284. self.data_demo["password"],
  285. {},
  286. ))
  287. # Attempts recorded
  288. with self.cursor() as cr:
  289. env = self.env(cr)
  290. failed = env["res.authentication.attempt"].search([
  291. ("result", "=", "failed"),
  292. ("login", "=", data1["login"]),
  293. ("remote", "=", "127.0.0.1"),
  294. ])
  295. self.assertEqual(len(failed), 3)
  296. banned = env["res.authentication.attempt"].search([
  297. ("result", "=", "banned"),
  298. ("login", "=", data1["login"]),
  299. ("remote", "=", "127.0.0.1"),
  300. ])
  301. self.assertEqual(len(banned), 0)
  303. @mute_logger(*GARBAGE_LOGGERS)
  304. def test_orm_login_existing(self, *args):
  305. """No bans on ORM login with an existing user."""
  306. data1 = {
  307. "login": "admin",
  308. "password": "1234", # Wrong
  309. }
  310. with self.cursor() as cr:
  311. env = self.env(cr)
  312. # Fail 3 times
  313. for n in range(3):
  314. self.assertFalse(
  315. env["res.users"].authenticate(
  316. cr.dbname, data1["login"], data1["password"], {}))
  317. self.assertEqual(
  318. env["res.authentication.attempt"].search(count=True, args=[]),
  319. 0,
  320. )
  321. self.assertTrue(
  322. env["res.authentication.attempt"]._trusted(
  323. "127.0.0.1",
  324. data1["login"],
  325. ),
  326. )
  327. # Now I know the password, and login works
  328. data1["password"] = self.good_password
  329. self.assertTrue(
  330. env["res.users"].authenticate(
  331. cr.dbname, data1["login"], data1["password"], {}))
  333. @mute_logger(*GARBAGE_LOGGERS)
  334. def test_orm_login_unexisting(self, *args):
  335. """No bans on ORM login with an unexisting user."""
  336. data1 = {
  337. "login": "administrator", # Wrong
  338. "password": self.good_password,
  339. }
  340. with self.cursor() as cr:
  341. env = self.env(cr)
  342. # Fail 3 times
  343. for n in range(3):
  344. self.assertFalse(
  345. env["res.users"].authenticate(
  346. cr.dbname, data1["login"], data1["password"], {}))
  347. self.assertEqual(
  348. env["res.authentication.attempt"].search(count=True, args=[]),
  349. 0,
  350. )
  351. self.assertTrue(
  352. env["res.authentication.attempt"]._trusted(
  353. "127.0.0.1",
  354. data1["login"],
  355. ),
  356. )
  357. # Now I know the user, and login works
  358. data1["login"] = "admin"
  359. self.assertTrue(
  360. env["res.users"].authenticate(
  361. cr.dbname, data1["login"], data1["password"], {}))